FW: [Dshield] odd udp port 0 traffic
Funk Jr, Joseph C.
jcfunkjr at co.bucks.pa.us
Thu Mar 18 21:27:43 GMT 2004
Excuse me, here is that German link,
From: Funk Jr, Joseph C.
Sent: Thursday, March 18, 2004 4:24 PM
To: 'General DShield Discussion List'
Cc: 'jimmythegeek at techemail.com'
Subject: RE: [Dshield] odd udp port 0 traffic
Check this out, this looks very interesting http://people.ists.dartmouth.edu/~gbakos/bindsweep/
about malformed DNS messages involving format error and a possible cause, a virus, called W32/Calypso-tr.
As far as the purpose of the traffic, according to the above link, it could "result in a denial-of-service (DoS) attack if the server attempts to parse the packet but is unable to".
and finally directs to this link about the above http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=526 for a description of the W32/Calypso-tr virus if this is in fact the culprit.
Sidenote, that IP was detected by a fake open relay 'honeypot' back in 2002 doing pings every 40 minutes, along with a few other IPs. Here is the English translation of the posting (it's a poor translation but you get the drift).
Joseph C Funk Jr